fixes and qol

This commit is contained in:
Grimmauld 2025-01-26 21:43:23 +01:00
parent d50a73ab06
commit e6205dd705
No known key found for this signature in database
30 changed files with 878 additions and 187 deletions


@ -59,14 +59,14 @@ in
# serviceConfig.Type = "oneshot"; # serviceConfig.Type = "oneshot";
#}; #};
systemd.enableCgroupAccounting = true; # systemd.enableCgroupAccounting = true;
# systemd.enableUnifiedCgroupHierarchy = false; # systemd.enableUnifiedCgroupHierarchy = false;
boot = { boot = {
kernelParams = [ kernelParams = [
# "intel_iommu=on" # "intel_iommu=on"
"nohibernate" "nohibernate"
"pcie_aspm=off" # "pcie_aspm=off"
]; ];
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
initrd.availableKernelModules = [ initrd.availableKernelModules = [


@ -38,24 +38,22 @@ in
(writeShellScriptBin "spawn" ''exec "$@" &> /dev/null &'') (writeShellScriptBin "spawn" ''exec "$@" &> /dev/null &'')
urlencode urlencode
rfindup
pstree
file
wget wget
bat bat
hyfetch fastfetch
btop
eza eza
starship starship
fd
ripgrep
file
pstree
rfindup
btop
unzip unzip
fbcat fbcat
# gomuks
imagemagick
nmap
parted
expect expect
gptfdisk gptfdisk
qrencode qrencode
@ -78,8 +76,12 @@ in
environment.sessionVariables = { environment.sessionVariables = {
MANPAGER = "sh -c 'col -bx | ${getExe pkgs.bat} -l man -p'"; MANPAGER = "sh -c 'col -bx | ${getExe pkgs.bat} -l man -p'";
MANROFFOPT = "-c"; MANROFFOPT = "-c";
SYSTEMD_PAGER = getExe pkgs.bat;
SYSTEMD_PAGERSECURE = "true";
}; };
programs.command-not-found.enable = true;
documentation.dev.enable = true; documentation.dev.enable = true;
# virtualisation.docker.enable = true; # virtualisation.docker.enable = true;
@ -87,7 +89,7 @@ in
services.dbus.implementation = "broker"; services.dbus.implementation = "broker";
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
# zramSwap.enable = false; # zramSwap.enable = false;
}; };
options.grimmShared.tooling = { options.grimmShared.tooling = {
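Review bot: `SYSTEMD_PAGERSECURE = "true"` in the sessionVariables hunk tells systemd's tools that whatever sits in `SYSTEMD_PAGER` already runs in secure mode, whereas with the variable unset systemd (as far as I read its pager documentation) only uses pagers it knows honour `LESSSECURE=1` when invoked with elevated privileges; bat is not one of those, so this line is effectively an opt-out of that check for `sudo systemctl`/`journalctl`, not an extra hardening. If that trade-off is intended, record it next to the assignment, e.g. `# lets bat be used as pager under sudo; systemd cannot enforce secure mode for it`. The sessionVariables attrset continues outside the hunk.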


@ -16,6 +16,9 @@ in
}; };
users.groups."${user}" = { }; users.groups."${user}" = { };
# programs.nix-index.enable = true;
# programs.nix-index.enableBashIntegration = true;
nix.settings.allowed-users = [ user ]; nix.settings.allowed-users = [ user ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [


@ -16,7 +16,8 @@
nixpkgs-hammering nixpkgs-hammering
nix-output-monitor nix-output-monitor
nix-search-cli nix-search-cli
niv nix-update
# niv
nvd nvd
vulnix vulnix
nix-init nix-init


@ -14,4 +14,6 @@
}; };
}; };
xdg.icons.enable = true;
} }


@ -32,9 +32,9 @@ in
xdgOpenUsePortal = true; xdgOpenUsePortal = true;
extraPortals = with pkgs; [ extraPortals = with pkgs; [
xdg-desktop-portal-wlr xdg-desktop-portal-wlr
xdg-desktop-portal-kde # xdg-desktop-portal-kde
xdg-desktop-portal-gtk # xdg-desktop-portal-gtk
lxqt.xdg-desktop-portal-lxqt # lxqt.xdg-desktop-portal-lxqt
]; ];
wlr.enable = true; wlr.enable = true;

flake.lock generated

@ -10,11 +10,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1736590503, "lastModified": 1737538029,
"narHash": "sha256-w69DFuUM6F92rQMl5mcnsx9Zv7Pk8ozcLffIYfOa2LI=", "narHash": "sha256-I4mWZEWV1c+sPb5f8liQxYdEjRxMR0UzY6dgP5zj2Kc=",
"owner": "LordGrimmauld", "owner": "LordGrimmauld",
"repo": "aa-alias-manager", "repo": "aa-alias-manager",
"rev": "72da6960bac5f84804a2ea36a90dbd25ed1bbf93", "rev": "14b4d3f64c06f6c4457a1d117bb201410422009d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -141,11 +141,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1737474213, "lastModified": 1737534778,
"narHash": "sha256-p4hHWikaYgtZmZlas1b/p2+R72j7ZtUmGp2qoC1VcbI=", "narHash": "sha256-7h/lJWRzKKCmpKmgGk2ZzWbj73Dqi607grXC/EhFQMI=",
"owner": "chaotic-cx", "owner": "chaotic-cx",
"repo": "nyx", "repo": "nyx",
"rev": "04e70503425690319c25814497f682145dd442c6", "rev": "a650b785c5d2b064777e0c5af7a414267a8fc934",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -495,11 +495,11 @@
"nixpkgs-24_11": "nixpkgs-24_11" "nixpkgs-24_11": "nixpkgs-24_11"
}, },
"locked": { "locked": {
"lastModified": 1735230346, "lastModified": 1737201600,
"narHash": "sha256-zgR8NTiNDPVNrfaiOlB9yHSmCqFDo7Ks2IavaJ2dZo4=", "narHash": "sha256-JBh5+g8oQteQdQqbO07dGHBRQo/NGI61JPlTjdfQ1pk=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "dc0569066e79ae96184541da6fa28f35a33fbf7b", "rev": "ade37b2765032f83d2d4bd50b6204a40a4c05eb4",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -531,11 +531,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1737062831, "lastModified": 1737469691,
"narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=", "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c", "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -68,6 +68,10 @@
}: }:
let let
patches = [ patches = [
{
url = "https://github.com/NixOS/nixpkgs/pull/376376.patch?full_index=1";
hash = "sha256-LtMtv1SiCAS/gotcc8MLny4IXCjY/EnLR0pH9XaCVCo=";
}
]; ];
customNixosSystem = customNixosSystem =
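Review bot: The nixpkgs PR patch added to `patches` carries no comment saying what it fixes or when it can be dropped, and `?full_index=1` together with the fixed hash means a force-push to PR 376376 becomes a hash-mismatch build failure rather than a silent content change — the right failure mode, but whoever hits it needs to know what the patch was for. Suggest a one-line comment above the attrset, e.g. `# nixpkgs PR 376376 (<describe what it fixes>); remove once the pinned nixpkgs contains it`. The consumer of `patches` is outside the hunk.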


@ -1,7 +1,6 @@
{ {
lib, lib,
pkgs, pkgs,
config,
... ...
}: }:
{ {
@ -13,13 +12,16 @@
./security.nix ./security.nix
]; ];
specialisation.unhardened.configuration = { }; specialisation.unhardened.configuration = {
# services.opensnitch.enable = lib.mkForce false; services.opensnitch.enable = lib.mkForce false;
security.apparmor.enable = lib.mkForce false;
};
#
systemd.tpm2.enable = false; systemd.tpm2.enable = false;
systemd.enableEmergencyMode = false; systemd.enableEmergencyMode = false;
virtualisation.vswitch.enable = false; virtualisation.vswitch.enable = false;
# services.resolved.enable = false; services.resolved.enable = false;
security.unprivilegedUsernsClone = true; security.unprivilegedUsernsClone = true;
environment.defaultPackages = lib.mkForce [ ]; environment.defaultPackages = lib.mkForce [ ];
environment.systemPackages = with pkgs; [ nano ]; environment.systemPackages = with pkgs; [ nano ];
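Review bot: The `unhardened` specialisation now force-disables opensnitch and AppArmor on top of the systemd sandboxing that this commit keys on `config.specialisation != { }` in the nix-daemon and sshd hunks (inside a specialisation that set is empty, as I read the module system, so those gates switch off there too), which means selecting that boot entry drops egress filtering, MAC and service confinement at once. Nothing in the module says this is a recovery entry, and a boot-menu choice is reachable by anyone at the console, so it deserves a comment such as `# recovery entry: no opensnitch, AppArmor or systemd sandboxing; select only from a trusted console` and, if systemd-boot is in use, `boot.loader.systemd-boot.editor = false;` so the entry cannot be further edited at boot. The stray `#` left on its own line after the block can go. `services.resolved.enable = false;` is now uncommented in the base configuration as well; it is probably intended, but it is not mentioned anywhere and is worth confirming.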


@ -0,0 +1,690 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
graphical
network
;
inherit (lib)
optional
getBin
getExe
concatLines
getExe'
escapeRegex
getVersion
mkIf
filter
split
strings
concatStringsSep
length
isString
;
local_network = [
"192.168.0.0/16"
"10.0.0.0/8"
"172.16.0.0/12"
"fc00::/7"
];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
environment.systemPackages = optional graphical pkgs.opensnitch-ui;
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
networking.nftables.enable = true;
# security.audit.enable = true;
systemd.services.opensnitchd.path = lib.optional (
config.services.opensnitch.settings.ProcMonitorMethod == "audit"
) pkgs.audit.bin;
services.opensnitch = {
enable = true;
settings = {
DefaultAction = "deny";
Firewall = if config.networking.nftables.enable then "nftables" else "iptables";
ProcMonitorMethod = "ftrace";
# ProcMonitorMethod = "audit";
};
rules = {
firefox =
let
cfg = config.programs.firefox;
pkg = (
cfg.package.override (old: {
extraPrefsFiles =
old.extraPrefsFiles or [ ]
++ cfg.autoConfigFiles
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
cfg = (old.cfg or { }) // cfg.wrapperConfig;
})
);
in
# pkg = pkgs.firefox-unwrapped;
mkIf (config.programs.firefox.enable) {
name = "firefox";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${getBin pkg}/lib/firefox/firefox";
};
};
block-list = {
name = "block-list";
action = "deny";
enabled = true;
duration = "always";
inherit created;
operator = {
type = "lists";
operand = "lists.domains";
data = pkgs.callPackage ./block_lists.nix { };
};
};
git = {
name = "git-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.git.outPath}/.*";
};
};
ssh = {
name = "ssh-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.openssh.outPath}/.*";
};
};
nsncd = mkIf (config.services.nscd.enableNsncd) {
name = "nsncd-dns";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe pkgs.nsncd;
}
{
type = "simple";
operand = "dest.port";
data = "53";
}
{
type = "lists";
operand = "lists.nets";
data = pkgs.writeTextDir "cidr_dns.list" (
concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
);
}
{
type = "simple";
operand = "user.id";
data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid);
}
];
};
};
nix-index = {
name = "nix-index";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nix-index-unwrapped "nix-index";
}
{
type = "regexp";
operand = "dest.port";
data = "53|443";
}
{
type = "simple";
sensitive = false;
operand = "dest.host";
data = "cache.nixos.org";
}
];
};
};
nix = {
name = "nix";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe config.nix.package;
}
{
type = "regexp";
operand = "dest.port";
data = "53|443";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(channels|cache)\\.nixos\\.org";
}
];
};
};
localhost = {
name = "localhost";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "dest.ip";
data = "^(127\\.0\\.0\\.1|::1)$";
};
};
spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
};
};
osu_deny = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
};
};
osu_allow = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|53";
}
{
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(api\.github\.com)|((.+\.)?ppy\.sh)";
}
];
};
};
ncspot = mkIf (config.grimmShared.spotify.enable) {
name = "ncspot";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = lib.getExe pkgs.ncspot;
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow-local";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
vesktop_deny = mkIf (graphical) {
name = "vesktop-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
};
};
vesktop_allow = mkIf (graphical) {
name = "vesktop-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./discord_hosts;
}
];
};
};
vesktop_daemon_allow_udp = mkIf graphical {
name = "vesktop-allow-udp";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "simple";
operand = "protocol";
data = "udp";
}
{
type = "regexp";
operand = "dest.port";
data = "500[0-9]{2}";
}
];
};
};
vesktop_daemon_deny = mkIf (graphical) {
name = "vesktop-daemon-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
};
};
vesktop_daemon_allow = mkIf (graphical) {
name = "vesktop-daemon-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./discord_hosts;
}
];
};
};
avahi = mkIf (config.services.avahi.enable) {
name = "avahi";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' config.services.avahi.package "avahi-daemon";
}
{
type = "regexp";
operand = "dest.port";
data = "5353|53";
}
{
type = "simple";
operand = "user.id";
data = "996";
}
];
};
};
icmp = {
name = "icmp";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
operand = "protocol";
sensitive = false;
data = "icmp(4|6)?";
};
};
network-manager = mkIf (config.networking.networkmanager.enable) {
name = "network-manager";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.networkmanager "networkmanager";
}
{
type = "regexp";
operand = "dest.port";
data = "547|67";
}
# {
# type ="simple";
# operand = "dest.network";
# data = "ff02::1:2";
# }
];
};
};
cups-filters = mkIf (config.services.printing.enable) {
name = "cups-filters";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.cups-filters "cups-browsed";
}
{
type = "regexp";
operand = "dest.port";
data = "53|631|80";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
systemd-timesyncd = mkIf (config.services.timesyncd.enable) {
name = "systemd-timesyncd";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
}
{
type = "regexp";
operand = "dest.port";
data = "123|37|53";
}
# {
# type = "regexp";
# sensitive = false;
# operand = "dest.host";
# data = ".*\.nixos\.pool\.ntp\.org";
# }
{
type = "simple";
operand = "user.id";
data = "154";
}
];
};
};
nextcloud = mkIf (false) {
# config.grimmShared.cloudSync.enable
name = "nextcloud";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data =
let
l = (filter isString (split "\\." config.grimmShared.cloudSync.server));
in
(strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" l);
# config.grimmShared.cloudSync.server;
}
{
type = "regexp";
operand = "dest.port";
data = "443|53";
}
];
};
};
};
};
};
}
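Review bot: The osu-allow `dest.host` pattern `(api\.github\.com)|((.+\.)?ppy\.sh)` uses single backslashes, and in a Nix double-quoted string `\.` is just `.`, so opensnitch receives `(api.github.com)|((.+.)?ppy.sh)` — the dots become wildcards and `happy.sh` or `api-github.com` would satisfy the rule; the other host patterns in this file write `\\.` (`(channels|cache)\\.nixos\\.org`), so this one is the odd one out, and the `\.config` inside the three vesktop `process.command` patterns has the same slip. Change it to `data = "(api\\.github\\.com)|((.+\\.)?ppy\\.sh)";`. Separately, the localhost rule anchors its regexp with `^…$`, which suggests the regexp operator is an unanchored search; if so, every `dest.port` regexp such as `"53|443"` also admits 8443 or 5300 and `(channels|cache)\\.nixos\\.org` admits `cache.nixos.org.example.net`, so anchoring them (`^(53|443)$`) would narrow the allow rules to what their names promise. The hard-coded `user.id` values `996` (avahi) and `154` (timesyncd) deserve the `lib.defaultTo … config.users.users.<name>.uid` treatment the nsncd rule already uses, because a differently allocated uid silently turns the rule into a no-op under `DefaultAction = "deny"`.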


@ -19,7 +19,7 @@ in
./acpid.nix ./acpid.nix
./cups.nix ./cups.nix
./bluetooth.nix ./bluetooth.nix
./tty.nix # ./tty.nix
./ask-password.nix ./ask-password.nix
# ./nix-daemon.nix # ./nix-daemon.nix
./nscd.nix ./nscd.nix
@ -28,77 +28,4 @@ in
./global ./global
]; ];
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule (
{ config, name, ... }:
{
config.serviceConfig =
let
shouldMakeIntrusive = (
noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name
);
in
mkIf (osConfig.specialisation != { }) (
{
ProtectHome = mkDefault true;
# LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH!
}
// (lib.optionalAttrs shouldMakeIntrusive {
# PrivateTmp = mkDefault true;
# NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical
# SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");
# ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);
SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
})
);
}
)
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
opensnitchd.serviceConfig = {
ProtectHome = false;
PrivateTmp = false;
ProtectKernelLogs = false;
};
"user-runtime-dir@".serviceConfig.ProtectHome = false;
"user@".serviceConfig.ProtectHome = false;
systemd-homed.serviceConfig.ProtectHome = false;
systemd-homed-activate.serviceConfig.ProtectHome = false;
sshd.serviceConfig.ProtectHome = false;
display-manager.serviceConfig.ProtectHome = "read-only";
dbus-broker.serviceConfig.ProtectHome = "read-only";
systemd-logind.serviceConfig.ProtectHome = false;
nix-daemon.serviceConfig.ProtectHome = false;
zfs-mount.serviceConfig.PrivateTmp = false;
kmod-static-nodes.serviceConfig.PrivateTmp = false;
mount-pstore.serviceConfig.PrivateTmp = false;
# todo: tpm things
#polkit.serviceConfig.NoNewPrivileges = false;
#"getty@".serviceConfig.NoNewPrivileges = false;
#"user@".serviceConfig.NoNewPrivileges = false;
# todo: dbus?
auditd.serviceConfig.ProtectKernelLogs = false;
audit.serviceConfig.ProtectKernelLogs = false;
"getty@".serviceConfig.SystemCallFilter = "";
display-manager.serviceConfig.SystemCallFilter = "";
sshd.serviceConfig.SystemCallFilter = "";
rtkit-daemon.serviceConfig.SystemCallFilter = "";
};
};
} }
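Review bot: Removing the `options.systemd.services` submodule here drops the `ProtectHome = mkDefault true` that applied to every unit together with its per-service exemption list, while the new `syscall_arch.nix` carries over only `SystemCallArchitectures = "native"`; neither the commit title nor the new file records that loss of confinement. If ProtectHome went away because of the exemption churn rather than by accident, a short comment in `syscall_arch.nix` such as `# ProtectHome default removed on purpose: too many units needed exemptions` would stop the next reader from re-adding it blindly. The import list this hunk edits starts before the hunk.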


@ -3,5 +3,6 @@
./hostname.nix ./hostname.nix
./clock.nix ./clock.nix
./realtime.nix ./realtime.nix
./syscall_arch.nix
]; ];
} }


@ -0,0 +1,22 @@
{ lib, config, ... }:
let
inherit (lib) types mkIf mkDefault;
osConfig = config;
in
{
options.systemd.services = lib.mkOption {
type = types.attrsOf (
lib.types.submodule {
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
SystemCallArchitectures = mkDefault "native";
};
}
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
};
};
}
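Review bot: The trailing `config = mkIf (config.specialisation != { }) { systemd.services = { }; };` block in the new file sets nothing and can be dropped, and `osConfig = config` is an indirection that is no longer needed, because the submodule below is a plain attrset rather than a `{ config, ... }:` function, so nothing shadows `config` there. Redeclaring `options.systemd.services` with a second `attrsOf (submodule …)` type relies on the module system merging it into the existing declaration, which is not obvious to a reader; a header comment such as `# Adds SystemCallArchitectures=native as an overridable default to every unit; inactive inside the unhardened specialisation, where specialisation is empty` would explain both the trick and the gate. The gate's behaviour inside the specialisation is my reading of how specialisations are evaluated and is worth confirming in the comment.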


@ -7,7 +7,6 @@
config.systemd.services = lib.mkIf (config.specialisation != { }) { config.systemd.services = lib.mkIf (config.specialisation != { }) {
nix-daemon.serviceConfig = { nix-daemon.serviceConfig = {
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
RestrictSUIDSGID = true; # good, somehow??? RestrictSUIDSGID = true; # good, somehow???
@ -15,7 +14,7 @@
"AF_UNIX" "AF_UNIX"
"AF_INET" "AF_INET"
"AF_INET6" "AF_INET6"
"AF_NETLINK" # needed for some checks # "AF_NETLINK" # needed for some checks
]; # needed to download sources and caches ]; # needed to download sources and caches
RestrictNamespaces = [ RestrictNamespaces = [
"user" "user"
@ -65,6 +64,8 @@
"CAP_DAC_OVERRIDE" "CAP_DAC_OVERRIDE"
]; ];
NoNewPrivileges = false; # build processes might need more
# ProtectKernelLogs=true; # BAD # ProtectKernelLogs=true; # BAD
# ProtectKernelTunables = true; # BAD # ProtectKernelTunables = true; # BAD
# PrivateUsers=true; BAD # PrivateUsers=true; BAD
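Review bot: `NoNewPrivileges = false; # build processes might need more` relaxes the nix-daemon sandbox without saying which build or check actually failed, so the reason cannot be re-verified later and the flag cannot be re-enabled with confidence. `RestrictSUIDSGID = true` above still prevents creating setuid files, but with NNP off a child can still gain privilege by executing an existing setuid or file-capability binary, so the comment should name the concrete case, e.g. `# NoNewPrivileges breaks <builder/check>; see <issue ref>` with the real reference filled in. The same goes for commenting out `AF_NETLINK`, whose own comment still claims it is needed for some checks. The serviceConfig attrset continues outside the hunk.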


@ -4,7 +4,7 @@
... ...
}: }:
{ {
config.systemd.services = { config.systemd.services = lib.mkIf (config.specialisation != { }) {
sshd.serviceConfig = { sshd.serviceConfig = {
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";


@ -41,8 +41,10 @@ in
# kicad # kicad
prusa-slicer prusa-slicer
freecad # freecad
openscad openscad
iamb
confy
vlc vlc
# blender # blender
@ -121,6 +123,18 @@ in
]; ];
}; };
gtk.iconTheme = {
package = pkgs.adwaita-icon-theme;
name = "Adwaita";
};
gtk.theme = {
package = pkgs.gnome-themes-extra;
name = "Adwaita-dark";
};
gtk.enable = true;
programs.tmux = { programs.tmux = {
enable = true; enable = true;
clock24 = true; clock24 = true;
@ -161,5 +175,5 @@ in
pinentryPackage = if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty; pinentryPackage = if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty;
}; };
xdg.mimeApps.enable = true; # xdg.mimeApps.enable = true;
} }


@ -7,9 +7,10 @@ in
inherit username; inherit username;
homeDirectory = "/home/${username}"; homeDirectory = "/home/${username}";
# file.".ssh/id_ed25519_sk".source = ../../ssh/id_ed25519_sk; file.".ssh/id_ed25519_sk".source = ../../ssh/id_ed25519_sk;
# file.".ssh/id_ed25519_sk.pub".source = ../../ssh/id_ed25519_sk.pub; file.".ssh/id_ed25519_sk.pub".source = ../../ssh/id_ed25519_sk.pub;
file.".cups/lpoptions".text = "Default pdf\n"; file.".cups/lpoptions".text = "Default pdf\n";
file.".config/iamb/config.toml".source = ./iamb_config.toml;
}; };
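Review bot: Uncommenting `file.".ssh/id_ed25519_sk".source = ../../ssh/id_ed25519_sk;` copies the private-key file into `/nix/store`, which is world-readable on the host and travels with any copy of the flake or binary cache, and home-manager links it into `~/.ssh` with the store's read-only, other-readable mode, which OpenSSH normally refuses for private keys. For an `sk` key the file is a handle bound to the hardware authenticator rather than raw key material, so the exposure is limited, but it still identifies the credential and presumably already sits in the repository; the repo uses `config.age.secrets` for other secrets (see the synapse hunk), which is the better home for it. The `home` attrset continues outside the hunk.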
}; };
} }


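--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,2 @@
+[profiles."grimmauld.de"]
+user_id = "@grimmauld:grimmauld.de"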


@ -6,7 +6,7 @@ in
{ {
imports = [ imports = [
./wireguard.nix ./wireguard.nix
# ./matrix.nix # ./matrix.nix
./matrix_legacy.nix ./matrix_legacy.nix
./puffer.nix ./puffer.nix
./gitea.nix ./gitea.nix


@ -67,11 +67,11 @@ in
args = { args = {
user = "synapse"; user = "synapse";
database = "synapse"; database = "synapse";
port = config.services.postgresql.settings.port; port = config.services.postgresql.settings.port;
cp_max = 10; cp_max = 10;
cp_min = 5; cp_min = 5;
client_encoding = "auto"; client_encoding = "auto";
passfile = config.age.secrets.synapse_db_pass_prepared.path; passfile = config.age.secrets.synapse_db_pass_prepared.path;
}; };
}; };
settings.log_config = ./matrix_synapse_log_config.yaml; settings.log_config = ./matrix_synapse_log_config.yaml;


@ -2,6 +2,5 @@
{ {
environment.systemPackages = with pkgs; [ ooye ]; environment.systemPackages = with pkgs; [ ooye ];
services.matrix-synapse-next.settings.app_service_config_files = [ ./registration.yaml ];
services.matrix-synapse-next.settings.app_service_config_files = [ ./registration.yaml ];
} }


@ -28,6 +28,7 @@
) )
) )
[ [
./lua_update.nix
./matrix-appservice-discord.nix ./matrix-appservice-discord.nix
./deskwhich.nix ./deskwhich.nix
./tlpui.nix ./tlpui.nix
@ -38,7 +39,7 @@
./ooye.nix ./ooye.nix
./factorio.nix ./factorio.nix
./ranger.nix ./ranger.nix
./opensnitch-ui.nix ./vesktop.nix
# ./ncspot.nix # ./ncspot.nix
# ./grpcio-tools.nix # ./grpcio-tools.nix
]; ];


@ -1,28 +0,0 @@
{ prev, final, ... }:
{
pythonPackagesOverlays = [
(python-final: python-prev: {
grpcio-tools = python-prev.grpcio-tools.overrideAttrs (old: {
version = "1.64.1";
src = prev.fetchPypi {
pname = "grpcio_tools";
version = "1.64.1";
hash = "sha256-crNVC5GtuDVGVuzw9tHUYRKZBEuuEfsefMHRu2a4wes=";
};
});
})
];
python311 =
let
self = prev.python311.override {
inherit self;
packageOverrides = prev.lib.composeManyExtensions final.pythonPackagesOverlays;
};
in
self;
python311Packages = final.python311.pkgs;
}

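--- /dev/null
+++ b/overlays/lua_update.nix
@@ -0,0 +1,4 @@
+{ prev, ... }:
+{
+lua = prev.lua5_4_compat;
+}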
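Review bot: `lua = prev.lua5_4_compat;` swaps the default `lua` for every package that takes it from the overlaid scope, not only the one that motivated the change, and the file does not say which that was. A one-line comment such as `# <package> needs a 5.4-compat lua; drop once it builds with the default` would make the overlay safely removable later.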


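--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,4 +0,0 @@
-{ prev, config, ... }:
-{
-ncspot = prev.callPackage ../custom/ncspot/package.nix { };
-}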


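--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,6 +0,0 @@
-{ final, prev, ... }:
-{
-opensnitch-ui = prev.opensnitch-ui.overrideAttrs (old: {
-propagatedBuildInputs = old.propagatedBuildInputs or [ ] ++ [ final.python311Packages.packaging ];
-});
-}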


@ -8,25 +8,67 @@ let
contabo_nix_2 = "ssh-rsa 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"; contabo_nix_2 = "ssh-rsa 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";
in in
{ {
# "nextcloud_pass.age".publicKeys = [ # "nextcloud_pass.age".publicKeys = [
# laptop_pub # laptop_pub
# yubi # yubi
# laptop_pub_ed # laptop_pub_ed
# ]; # ];
# "duckdns_token.age".publicKeys = [ contabo_nix_pub ]; # "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
"synapse_db_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; "synapse_db_pass.age".publicKeys = [
"openldap_admin.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; contabo_nix_pub
"nextcloud_server_key.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; contabo_nix_2
"keycloak_db_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; ];
"synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; "openldap_admin.age".publicKeys = [
"grafana_admin_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; contabo_nix_pub
"nextcloud_admin_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; contabo_nix_2
"nextcloud_db_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; ];
"synapse_registration_shared_secret.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; "nextcloud_server_key.age".publicKeys = [
"matrix_admin_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; contabo_nix_pub
"matrix_mjolnir_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; contabo_nix_2
"matrix_mjolnir_tle_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; ];
"matrix_discord_bridge_token.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; "keycloak_db_pass.age".publicKeys = [
"ptero_env.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; contabo_nix_pub
contabo_nix_2
];
"synapse_db_pass_prepared.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"grafana_admin_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"nextcloud_admin_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"nextcloud_db_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"synapse_registration_shared_secret.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"matrix_admin_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"matrix_mjolnir_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"matrix_mjolnir_tle_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"matrix_discord_bridge_token.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"ptero_env.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
} }


@ -1,6 +1,7 @@
{ pkgs, lib, ... }: { { pkgs, lib, ... }:
{
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -15,6 +16,8 @@
networking.hostName = "grimm-nixos-server-2"; networking.hostName = "grimm-nixos-server-2";
networking.domain = "grimmauld.de"; networking.domain = "grimmauld.de";
services.openssh.enable = true; services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [''sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFs grimmauld@grimm-nixos-ssd'' ]; users.users.root.openssh.authorizedKeys.keys = [
''sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFs grimmauld@grimm-nixos-ssd''
];
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }


@ -2,8 +2,16 @@
{ {
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"xen_blkfront"
"vmw_pvscsi"
];
boot.initrd.kernelModules = [ "nvme" ]; boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
} }


@ -46,7 +46,7 @@ in
boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y"; boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.kernelParams = [ "nosgx" ]; # boot.kernelParams = [ "nosgx" ];
security.lockKernelModules = false; # PAIN on an intended-portable setup security.lockKernelModules = false; # PAIN on an intended-portable setup
# security.protectKernelImage = false; # security.protectKernelImage = false;